What’s your threat model? (Threat Pyramid)

I’ve been thinking about security again. Between the “freedom fondle” on my trip to Las Vegas, the recent Gawker “oops”, and work, I’ve been revisiting the idea of the “threat pyramid”. This is a concept that I created for a security evaluation I performed for a job back in the early 90s.

The idea is that there are more people (and tools) capable of being a threat at the lower levels of capability, and fewer at the higher levels of sophistication.

For example, there are potentially millions of “script kiddies” who can use easy-to-find, easy-to-use attack tools. I recently dealt with a case where a 16-year-old had downloaded “shrink wrapped” botnet tools (with a convenient Windows GUI) to attack a site. The tool did everything from creating a customized malware package, through basic spam distribution, to managing the botnet command and control.

As you move up in the pyramid, you have fewer people (or groups) capable of being a threat, but they have more capacity to be a threat. They will be creating more sophisticated tools, and will require more capable (hence expensive) defenses.

At the top of the pyramid, you have “government” level threats. These are well-funded, technically sophisticated groups that are likely to target specific high-value targets. It could be a government, or just a well-funded criminal enterprise. This is now sometimes characterized as the “Advanced Persistent Threat (APT)”, which is actually a pretty good term. While at a prior job, I met the leader of one of these groups, who worked for a government agency. Their goal was to be able to enter a high-value target, get everything they wanted, and get out without detection. Their motto was “one packet, one kill”. They were quite content to map out a specific target over weeks or even months, then get in, get the data and get out in just a few minutes (if not seconds).

So, how does this apply to you, or your organization?

You can split the threat pyramid into at least three regions based on who you think is your adversary, their capabilities and your budget (or determination).

At the very bottom are the threats that are pretty much beneath your notice: the normal “background radiation” of the Internet. Things that will hit your defenses and bounce off. Things that are so common that it isn’t worth people’s time to notice. Consider the constant port scans that are blocked by your perimeter routers and firewalls. They never get past the perimeter, they are going on all the time, and they aren’t something that you’re ever going to do anything about, except maybe count them for some management report. Defenses here are well-understood, affordable and considered a requirement for living on the modern Internet. If you get owned by one of these threats, there’s really no excuse.

At the very top are those threats that you’ll just never see. They might own you, but you’ll never know it, at least not until after the attack has come and gone. If a government decides that you’re an interesting target, they’ll get in, and you’ll likely never even know it. There’s literally nothing you can do (or afford to do) to defend against this threat. This is a risk that you’ll just have to accept.

It’s the middle where things get interesting. This is the area where you have to do the thorough analysis, and make tough decisions about which protections you need, which you can afford, and which your organization will tolerate. This is where most security effort should be focused, and also where there is the most uncertainty. This is where all the tradeoffs have to be made.
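To make the bottom and middle regions concrete, here is a small triage script that is an added example and not part of the original post. It assumes perimeter logs in netfilter/iptables LOG style (a format assumption; the sample lines are constructed, using documentation-range addresses) and a made-up threshold of five distinct ports for calling a source a port scanner. Everything the firewall already DROPped is the “background radiation” of the bottom region and is reduced to counts for a management report; anything that was ACCEPTed past the perimeter is handed over as the raw material for the middle-region analysis, which the script deliberately leaves to a human.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log in netfilter/iptables LOG style.
# Addresses come from documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
Jan 10 03:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41234 DPT=22
Jan 10 03:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41235 DPT=23
Jan 10 03:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41236 DPT=25
Jan 10 03:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41237 DPT=80
Jan 10 03:14:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41238 DPT=443
Jan 10 03:14:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41239 DPT=3389
Jan 10 03:14:40 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=50210 DPT=22
Jan 10 03:14:41 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=50211 DPT=22
Jan 10 03:15:30 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=50001 DPT=443
Jan 10 03:15:31 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=50002 DPT=443
"""

# Field layout assumed from the iptables LOG target; adjust for other firewalls.
LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT) IN=\S+ SRC=(?P<src>\S+) DST=\S+ "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dport>\d+)"
)


def parse_log(text):
    """Return one dict per recognised log line; lines that do not match are skipped."""
    matches = (LINE_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def triage(events, scan_threshold=5):
    """Sort perimeter events into the threat pyramid's regions.

    Bottom region: connections the perimeter already dropped. They are only
    counted (per source, plus a list of sources that probed many distinct
    ports) so the numbers can go into a management report.
    Middle region: anything the perimeter let through. These are returned as
    (source, port) counts; deciding what they mean is the analysis the post
    describes, and this function does not try to make that call.
    """
    drops_per_src = Counter()
    ports_per_src = defaultdict(set)
    passed = Counter()
    for e in events:
        if e["action"] == "DROP":
            drops_per_src[e["src"]] += 1
            ports_per_src[e["src"]].add(e["dport"])
        else:
            passed[(e["src"], e["dport"])] += 1
    scanners = sorted(
        src for src, ports in ports_per_src.items() if len(ports) >= scan_threshold
    )
    return {
        "blocked_total": sum(drops_per_src.values()),
        "blocked_per_source": dict(drops_per_src),
        "port_scanners": scanners,
        "needs_analysis": dict(passed),
    }


def report_lines(summary):
    """Render the bottom-region counts as the few lines a manager would read."""
    lines = [f"Blocked at perimeter: {summary['blocked_total']} connections"]
    for src in summary["port_scanners"]:
        hits = summary["blocked_per_source"][src]
        lines.append(f"  {src} probed {hits} times (port scan)")
    pending = sum(summary["needs_analysis"].values())
    lines.append(f"Passed perimeter, awaiting analysis: {pending} connections")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(triage(parse_log(SAMPLE_LOG)))))
```

The design point is the split itself: dropped traffic is aggregated and forgotten, while the ACCEPTed connections are passed along untouched because the script has no business deciding whether a web hit is benign or the first step of something in the middle of the pyramid.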

So, how does this apply to you? Think about your own threat pyramid. Make sure that you have the lower levels covered. Then decide how high you want to raise the bar. Too low and you get owned by an easily preventable threat. Too high and you may not be able to afford the defenses, or you’ll spend too much time and money worrying about a threat that you really just can’t defeat.